botnet detector?

Todd

Hi All,

During the recent DDOS attacks, I have been getting
a lot of complaints from customers about eMail and browsers
not making connection. I thought it was just the bottleneck
caused by the DDOS network flood.

Now I am wondering, maybe they were part of the botnet.
Other than keeping their antivirus up to date, does
anyone have a favorite way of checking to see if someone
is part of a botnet?

I presume network traffic from the botnet will only occur
when triggered and the rest of the time be dormant.
So watching network traffic would only work during the
attack. Am I right?

Many thanks,
-T
 
Todd

This is a WinXP news group. Such a question is better served in a
malware related news group.

The following are suggested for future questions of this nature..

alt.comp.virus
alt.comp.anti-virus

I have a long history with the guys on this group and I
do appreciate what they bring to the table. But, I will look
over there too. Thank you for the tip.
What do you mean "recent DDoS attacks"?

I was talking about the ones you hear on the news. The SpamHaus
attack in particular.

There are DDoS attacks taking
place every day against a myriad of hosts, some you may know or have heard of,
some you most likely haven't heard of, and others that have gone
unreported. It's like saying "during the recent rain storm" and failing to
provide a locality. Your stating "During the recent DDOS attacks..." has
no context.

As for whether your network is an unwilling component of a Botnet: you have
to sniff the network and examine the traffic. Check your logs, routers
and border gateways. Install BotHunter on your network -
http://www.bothunter.net/

The user's manual would show up in Firefox 20, 64-bit for Linux. It
also gives no clue as to which plugin it is looking for either.

What I am puzzled by is how this thing is used. Does it require
a two port firewall such as iptables? (I am good at iptables).
Or does it just sniff passing traffic? If it is just sniffing,
how does it get around targeted traffic from a switching hub?

I noticed they have a live CD in their future. Very cool.
In short, Botnets generate detectable network traffic.

All the time? Or only when triggered?

Thank you for the help!
-T
 
Todd

How about Sysinternals "TCP View"? But would that only show when
the botnet was triggered?
 

David H. Lipman

"Todd" said:
How about Sysinternals "TCP View"? But would that only show when
the botnet was triggered?

No. I wrote sniff the network.

You are not going to catch nodes beaconing to a C2 server that way.
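The point Lipman makes here is that a C2 check-in shows up in the network traffic, not in a snapshot of one host's open sockets, and bots typically poll their controller on a fixed schedule even while they are otherwise idle. The script below is an added example for this thread (not code from BotHunter or from anyone in the discussion) showing one way to examine sniffed or flow-log traffic for that signature: it groups outbound connections by source, destination and port and flags the tuples whose inter-connection timing is too regular to be a person. The log format, the constructed sample lines, the address ranges and the thresholds are all assumptions made for the example.

```python
"""Spotting C2 beaconing in a connection log.

Added example for the thread; not BotHunter's code and not from any poster.
Assumed input format (one outbound flow per line, constructed for this
example): "epoch_seconds src dst dport bytes_out", such as you might
export from a sniffer on a mirror port, a border router or a firewall.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (not real traffic). 198.51.100.0/24 and
# 203.0.113.0/24 are reserved documentation ranges.
# 10.0.0.5 contacts one host every ~300 s with near-identical sizes
# (the beacon); 10.0.0.7 is an ordinary user browsing irregularly.
SAMPLE_LOG = """\
1364900000 10.0.0.5 198.51.100.10 443 312
1364900301 10.0.0.5 198.51.100.10 443 310
1364900599 10.0.0.5 198.51.100.10 443 315
1364900902 10.0.0.5 198.51.100.10 443 311
1364901200 10.0.0.5 198.51.100.10 443 309
1364901501 10.0.0.5 198.51.100.10 443 313
1364900012 10.0.0.7 203.0.113.20 80 48211
1364900087 10.0.0.7 203.0.113.20 80 1204
1364900650 10.0.0.7 203.0.113.20 80 77010
1364901940 10.0.0.7 203.0.113.20 80 9432
1364902500 10.0.0.7 203.0.113.20 80 2201
1364900033 10.0.0.7 203.0.113.44 443 5120
"""


def parse_log(text):
    """Group flows by (src, dst, dport) -> list of (timestamp, bytes_out)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows[(src, dst, int(dport))].append((int(ts), int(nbytes)))
    return flows


def score_flow(records):
    """Return (period_s, jitter, size_cv) for one src/dst/port tuple.

    jitter  = stdev of gaps between connections / mean gap (near 0: clockwork)
    size_cv = stdev of bytes_out / mean bytes_out (near 0: fixed-size check-in)
    """
    records = sorted(records)
    times = [t for t, _ in records]
    sizes = [b for _, b in records]
    gaps = [b - a for a, b in zip(times, times[1:])]
    period = mean(gaps)
    if period <= 0:
        return None  # duplicate timestamps only; nothing to measure
    mean_size = mean(sizes)
    size_cv = pstdev(sizes) / mean_size if mean_size > 0 else 0.0
    return period, pstdev(gaps) / period, size_cv


def find_beacons(flows, min_connections=5, max_jitter=0.2):
    """Flag src/dst/port tuples whose connection timing is suspiciously regular.

    Thresholds are assumptions for the example; tune them to your network.
    """
    hits = []
    for (src, dst, dport), records in flows.items():
        if len(records) < min_connections:
            continue  # too few samples to judge periodicity
        scored = score_flow(records)
        if scored is None:
            continue
        period, jitter, size_cv = scored
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "connections": len(records),
                         "period_s": round(period, 1),
                         "jitter": round(jitter, 3),
                         "size_cv": round(size_cv, 3)})
    return sorted(hits, key=lambda h: h["jitter"])


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print("possible beacon: {src} -> {dst}:{dport} every ~{period_s}s "
              "({connections} connections, jitter {jitter}, size_cv {size_cv})"
              .format(**hit))
```

The signal being scored is regularity, not volume, which is why a quiet bot still stands out between attacks. The capture itself has to see the traffic: on a switched LAN a sniffer only sees frames for its own port, so it needs a mirror (SPAN) port, a tap, or a position inline at the gateway, or you feed the script flow records exported from the router or firewall instead. Treat hits as leads rather than verdicts; NTP, update checkers and mail polling are periodic too, so the destination and payload size still have to be looked at.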
 

David H. Lipman

"Todd" said:
I have a long history with the guys on this group and I
do appreciate what they bring to the table. But, I will look
over there too. Thank you for the tip.

That may be, but that's not how newsgroups are used. The Botnet is a network; the infected
computers can be ANY OS on the network from Windows Servers to Linux. Therefore your
WinXP centricity is hurting your ability to get the proper information.

You don't ask a Harley Davidson group how to fix a Yamaha.
 
